Application/Control Number: 10/050,752

Art Unit: 2434 

DETAILED ACTION 

1. The response of 8/18/08 was received and considered.

2. The IDS of 8/18/08 was received and considered. 

3. Claims 1-5, 8-9, 11-20 & 35-50 are pending.



Claim Objections 

4. Claims 4-5, 8-9, 11-13 & 16-20 are objected to because of the following informalities. 
Appropriate correction is required. 

a. Regarding claim 4, line 6, the limitation "second user authentication" should be 
replaced with "second user authentication method". 

b. Regarding claim 4, line 9, "authentication methods" should be replaced with "user 
authentication methods". 

c. Regarding claim 4, line 10, "first authentication" should be replaced with "first 
user authentication". 

d. Regarding claim 16, "wherein one authentication" should be replaced with 
"wherein one user authentication". 

e. Regarding claim 18, "wherein one authentication" should be replaced with 
"wherein one user authentication". 

f. Regarding claim 35, line 6, "a" should be replaced with "an". 

g. Regarding claim 35, line 8, "by" should be replaced with "from". 

h. Regarding claim 40, "the data" should be replaced with "at least some of the 
data". 

Claim Rejections - 35 USC § 101

5. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or 
any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and 
requirements of this title. 

6. Claims 42-48 are rejected under 35 U.S.C. 101 because the claimed invention is directed
to non-statutory subject matter.

i. Regarding claim 42, the claim is directed to web sites, which according to the 
specification (p. 8) are software, and hence the claimed invention does not fall within one 
of the statutory classes of invention defined under 35 U.S.C. §101. Claims 43-48 are 
rejected under similar rationale. 

Claim Rejections - 35 USC § 112 

7. The following is a quotation of the first paragraph of 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of making 
and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it 
pertains, or with which it is most nearly connected, to make and use the same and shall set forth the best mode 
contemplated by the inventor of carrying out his invention. 

8. Claims 42-48 are rejected under 35 U.S.C. 112, first paragraph, as failing to comply with
the written description requirement. The claim(s) contains subject matter which was not 
described in the specification in such a way as to reasonably convey to one skilled in the relevant 
art that the inventor(s), at the time the application was filed, had possession of the claimed 
invention. Regarding claims 42-48, the specification does not recite "authentication module". 

9. The following is a quotation of the second paragraph of 35 U.S.C. 112:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the
subject matter which the applicant regards as his invention. 

10. Claims 14-16, 18 & 49-50 are rejected under 35 U.S.C. 112, second paragraph, as being
indefinite for failing to particularly point out and distinctly claim the subject matter which 
applicant regards as the invention. 

j. Regarding claims 14-15, the claims depend upon claim 10, which has been
cancelled.

k. Regarding claim 16, the claim recites "wherein one authentication method employs
a fixed complex code", however, claim 4 recites that the first user authentication method 
is either something a user knows or a characteristic of the user, which does not apply to a 
fixed complex code, thus rendering the claim unclear. 

l. Regarding claim 18, the claim recites "wherein one authentication method is
software based", however, claim 4 recites that the first user authentication method is 
either something a user knows or a characteristic of the user, which does not apply to a 
fixed complex code, thus rendering the claim unclear. 

m. Regarding claims 49 & 50, the claim recites "adding a second factor of 
authentication to a first web site having a first factor of authentication", however, a 
"factor" in the spec is a piece of data and therefore it is unclear how this method "adds" 
the data to a first web site. 

n. Regarding claims 49 & 50, it is unclear what limitation "as a function ..." 
modifies; if the receiving step is contingent upon the authorization, then it is unclear if 
the receiving step is performed. 

o. Regarding claims 49 & 50, the limitation "transmitting data to the first web site
indicating the user has been successfully authenticated using at least two factors of 
authentication" is unclear because the only mention of the first web site is that it has "a 
first factor of authentication". The claim does not recite a first authentication being 
performed, only an authorization. Further, it is unclear how the data from the second web 
site indicates that the user is authenticated based on at least two factors when the second 
web site only authorizes based on a single factor. 

p. Regarding claim 50, the limitation "the authorization website" (line 10) lacks 
sufficient antecedent basis. For the purposes of this action, the limitation is understood to 
read "the authentication website". 

Claim Rejections - 35 USC § 102 

11. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on 
sale in this country, more than one year prior to the date of application for patent in the United States. 

12. Claims 49-50 are rejected under 35 U.S.C. 102(b) as being anticipated by "RSA Web
Security Portfolio - How RSA SecurID Agents Can Secure Your Website", by RSA Security,
Inc. (RSA).

Regarding claim 49, RSA discloses distributing a token to a user (p. 2, ¶2 and right
column, §RSA SecurID Authentication Devices), providing a second website to authorize the
user based on the token (RSA ACE/Server validates the PASSCODE, p. 2, §111, ¶2), receiving
authorization data at the second web site from the first website (receiving PASSCODE from the
RSA ACE/Agent to the RSA ACE/Server, p. 2, §111, ¶2), the authorization data including user
identification data (PASSCODE, p. 2, §111, ¶2) as a function of the first web site (ACE/Agent)
authorizing the user (receiving the user ID, PIN and token code, p. 2, §111, ¶2), authorizing the
user at the second web site (ACE/Server validates PASSCODE, p. 2, §111, ¶2) based on the token
(token code, p. 2, §111, ¶2) and the user identification data (PASSCODE containing user ID and
PIN, p. 2, §111, ¶2), and if the authorization at the second website is successful (PASSCODE is
validated, p. 2, §111, ¶2), transmitting data (inherent because RSA ACE/Agents guard access to
web resources, p. 2, §3, ¶1 and RSA ACE/Server validates the PASSCODE; i.e. there must be a
communication from the server to the agent to allow access to services protected on the server)
to the first web site indicating the user has been successfully authenticated using at least two
factors (PIN and token code, p. 2, ¶1 and §111, ¶1) of authentication, wherein the user is granted
access to web content (p. 2, ¶2 and right column, §RSA ACE/Agents for Web Platforms) on the
first web site (web server protected with ACE/Agent, p. 2, §111, ¶¶2-3 and p. 2, ¶2 and right
column, §RSA ACE/Agents for Web Platforms) only if the user has been authenticated using at
least two factors of authentication (PASSCODE is validated, p. 2, ¶1 and §111, ¶¶1-2).

Regarding claim 50, the claim is substantially equivalent to claim 49, but recites "a
plurality of websites". RSA discloses a single RSA ACE/Server (authorization web site)
employed by a plurality of web sites (ACE/Agents, p. 6, Fig. entitled "RSA SecurID Web
Topography").



Double Patenting 

13. Claims 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47 & 48 of this application conflict
with claims 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25 & 26, respectively, of Application
No. 11/678,921. 37 CFR 1.78(b) provides that when two or more applications filed by the same
applicant contain conflicting claims, elimination of such claims from all but one application may 
be required in the absence of good and sufficient reason for their retention during pendency in 
more than one application. Applicant is required to either cancel the conflicting claims from all 
but one application or maintain a clear line of demarcation between the applications. See MPEP 
§ 822. 

14. A rejection based on double patenting of the "same invention" type finds its support in 
the language of 35 U.S.C. 101 which states that "whoever invents or discovers any new and 
useful process ... may obtain a patent therefor ..." (Emphasis added). Thus, the term "same 
invention," in this context, means an invention drawn to identical subject matter. See Miller v. 
Eagle Mfg. Co., 151 U.S. 186 (1894); In re Ockert, 245 F.2d 467, 114 USPQ 330 (CCPA 1957);
and In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970).

A statutory type (35 U.S.C. 101) double patenting rejection can be overcome by 
canceling or amending the conflicting claims so they are no longer coextensive in scope. The 
filing of a terminal disclaimer cannot overcome a double patenting rejection based upon 35 
U.S.C. 101. 

15. Claims 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47 & 48 are provisionally rejected 
under 35 U.S.C. 101 as claiming the same invention as that of claims 13, 14, 15, 16, 17, 18, 19, 
20, 21, 22, 23, 24, 25 & 26, respectively, of copending Application No. 11/678,921. This is a
provisional double patenting rejection since the conflicting claims have not in fact been patented. 
However, it is noted that the '921 claims have been passed to issue. 



16. The nonstatutory double patenting rejection is based on a judicially created doctrine 
grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or 
improper timewise extension of the "right to exclude" granted by a patent and to prevent possible 
harassment by multiple assignees. A nonstatutory obviousness-type double patenting rejection 
is appropriate where the conflicting claims are not identical, but at least one examined
application claim is not patentably distinct from the reference claim(s) because the examined 
application claim is either anticipated by, or would have been obvious over, the reference 
claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re 
Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225
USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re 
Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 
USPQ 644 (CCPA 1969). 

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may
be used to overcome an actual or provisional rejection based on a nonstatutory double patenting 
ground provided the conflicting application or patent either is shown to be commonly owned 
with this application, or claims an invention made as a result of activities undertaken within the 
scope of a joint research agreement. 

Effective January 1, 1994, a registered attorney or agent of record may sign a terminal 
disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 
3.73(b). 

17. Claims 4, 5, 8 & 9 are provisionally rejected on the ground of nonstatutory
obviousness-type double patenting as being unpatentable over claim 9 of copending Application No.
11/678,921. Although the conflicting claims are not identical, they are not patentably distinct
from each other because of the following analysis: 

Regarding claim 4, the '921 application's claim 9 recites two authentication methods, the 
first being what a user knows (password, claim 9) and the second being a token distributed to a 
user (claim 8), communicating authentication data for both methods to a first web site (user 
entering token code and password, claim 8), authenticating the user at the first web site using the 
first authentication method (authenticating user based on second factor, claim 8), if the user is
authenticated, communicate the token-based authentication data to the second web site (passing 
. . . ., claim 8) and transmitting result of the authentication at the second web site to the first web 
site (receiving . . ., claim 8). Claim 9 specifies that a user name and password are used, as 
opposed to the instant claim 4's "something a user knows" and also specifies (in claim 8) the 
storing of a seed value and verifying the user's token code was generated by the user's token, as
opposed to the instant claim 4's "authenticating". However, broadening these is obvious for the
benefit of increased breadth. Further, the instant claim 4 specifies the Internet. However, it is
well known in the art to use the Internet to transmit data between web sites, as the world wide
web is part of the Internet and therefore this limitation is an obvious modification of '921's claim
9. Lastly, '921's claim 9 recites authorizing access per a successful authentication, where the
instant claim 4 recites restricting access upon unsuccessful authentication. These are obvious 
modifications of each other. 

Regarding claim 5, '921's claim 8 discloses this limitation (authenticating claim 8).

Regarding claim 8, '921's claim 9 discloses this limitation (passing the user's token code
claim 9). 

Regarding claim 9, '921's claim 9 discloses a password.

18. In the above analysis, other differences in the claims are a matter of wording and do not 
reflect a patentable distinction based on scope. 

19. This is a provisional obviousness-type double patenting rejection because the conflicting 
claims have not in fact been patented. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to MICHAEL J. SIMITOSKI whose telephone number is (571) 272-3841.
The examiner can normally be reached on Monday - Thursday, 6:45 a.m. - 4:15 p.m.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



October 14, 2008 

/Michael J Simitoski/ 

Primary Examiner, Art Unit 2434 



